
Thread: A Troublesome DLL file

  1. #16
    nikolatesla20 (Code Injector; joined Apr 2002; 815 posts)
    All you have to do is set up your own web server, (read some docs and throw up a basic server on your Local Machine)

    Then, if you know the website, for example, www.blather.com, you go to "C:\windows\system32\drivers\etc" (this is the path on 2000/XP) and you will find a file named "hosts" (there is no file extension on it). Open this file in Notepad and add a line

    127.0.0.1 www.blather.com

    This makes your system resolve blather.com to your local machine instead of asking a DNS server. Then the application will unwittingly be going to your own web server. Now, if you know the page it's going to, just set up a similar path and page name on your own web server, and change the data (the page) that comes back so it's what it needs to be.

    Simple.

    -nt20
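
As an added example (not code from the post above or from anyone in this thread), here is a stand-in web server in Python that does what nikolatesla20 describes: you point the vendor hostname at 127.0.0.1 in the hosts file, and the server logs everything the application sends out and answers with a body you control. It assumes the application speaks plain HTTP; www.blather.com is the post's placeholder hostname, and the request path, the form-field layout and the canned reply are assumptions of this example, not the real protocol.

```python
"""Stand-in web server for an application's online registration check.

Added example, not code from the thread. Assumes the application talks
plain HTTP to a hostname that can be overridden in the hosts file. The
hostname www.blather.com, the field names and CANNED_REPLY are placeholders.
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

# hosts file location on 2000/XP, as given in the post
HOSTS_PATH = r"C:\windows\system32\drivers\etc\hosts"


def hosts_line(hostname, ip="127.0.0.1"):
    """Line to append to the hosts file so `hostname` resolves to `ip`."""
    return f"{ip} {hostname}"


# Body the stand-in returns. Replace it with whatever reply you want to test
# the application against; this value is a placeholder.
CANNED_REPLY = b"OK\n"


def parse_request(method, target, body):
    """Split one incoming request into the pieces worth logging.

    `target` is the request line path (with query string), `body` the raw
    POST bytes. Form decoding is a guess at the layout; the raw body is kept
    so nothing is lost if the application sends something else.
    """
    parts = urlsplit(target)
    raw = body.decode("latin-1") if body else ""
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "form": parse_qs(raw, keep_blank_values=True) if raw else {},
        "raw_body": raw,
    }


class LoggingHandler(BaseHTTPRequestHandler):
    """Logs what the client sent, then returns CANNED_REPLY with HTTP 200."""

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record = parse_request(self.command, self.path, body)
        record["headers"] = dict(self.headers)
        # Everything the application sends OUT is written here.
        print(json.dumps(record, indent=2), file=sys.stderr)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(CANNED_REPLY)))
        self.end_headers()
        self.wfile.write(CANNED_REPLY)

    do_GET = _handle
    do_POST = _handle


def serve(port=80):
    """Listen on the loopback address the hosts entry points to.

    The hosts file cannot change the port, so listen on the port the
    application actually uses (port 80 needs administrative rights).
    """
    ThreadingHTTPServer(("127.0.0.1", port), LoggingHandler).serve_forever()


if __name__ == "__main__":
    print(f"add to {HOSTS_PATH}: {hosts_line('www.blather.com')}", file=sys.stderr)
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Run it, add the printed hosts line, start the application, and read the JSON on stderr: that is the outgoing side of the exchange. Once you know what a real reply looks like, put it in CANNED_REPLY and rerun to see how the application behaves on each candidate answer.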

  2. #17
    Partial Attitude Adjustment noted.

    I have taken the liberty of merging this with your most recent thread and will include a reference to the others of this series. Part of the problem is that you keep making new threads when you are still talking about the same original problem and you really provide insufficient information each time you restart the discussion.

    For anyone who may be interested, he has a protection system that uses a DLL file to validate an email/cdkey/online registration system and he has to connect to a remote server to validate his online registration. He has now apparently determined that it runs a perl script to validate his target and he thinks he wants to "read" it on the remote server.

    If you are interested, you can review his other threads on this same topic at:

    http://www.woodmann.com/forum/showthread.php?t=5590

    and

    http://www.woodmann.com/forum/showthread.php?t=5600

    You mentioned in one of these prior posts you still have one working version on another machine. Have you, by any chance, attempted to run a file comparer on the "good" version and a "not good" version to determine any differences and to see whether this "perl script" changed anything in your file?

    And "Daddy Jiggles, The Hemp Clown," you are not going to win any points here (except maybe with your homeys) by pointing out typos in my posts. Everyone but you already knew I make typos and can't spell. You STILL aren't paying attention to the fact that I can edit or delete your posts at will, but you've already demonstrated you learn very slowly.

    Regards,
    JMI

  3. #18
    DaddyJTHC
    Guest
    I am in the process of doing this, using regmon & filemon; the program itself doesn't do an online check after the first time.
    I'm still comparing the lists.


    Side note.
    I'm sorry for making new threads, I will cease. Thank you for your patience.
    DJ
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #19
    If you are wading through a regmon log file you might find this thread useful:

    http://www.woodmann.com/forum/showthread.php?t=4162

    Kayaker wrote a tool to reduce the duplicates in the log to make finding what one may be seeking easier.

    Again, referring to your earlier posts, if you have five "valid" re-installs, there has to be a countdown entry for the server to check against. Each time you re-install, it has to reduce this "entry" by one, and to check it there most likely has to be a compare instruction in the checking routine.

    Regards,
    JMI

  5. #20
    DaddyJTHC
    Guest
    I agree totally, I've pretty much chopped their webserver up looking for an answer. Basically, as far as I can gather, each install gets added into their database (I couldn't find it). BUT after the initial check it doesn't make any more attempts to verify. Either a file is downloaded or a registry entry is made. I haven't determined which of the 2 is true.

    Thanks for that link, it will help.

  6. #21
    And another thought:

    You are aware, are you not, that VISE offers not only free copies of its software for downloading, it offers free copies of its User's Guide for downloading. Anytime you are attempting to reverse a protection system, it is a very good practice to obtain as much information as possible about how the maker describes its workings.

    They also have a set of examples for the 3.1 version, including documentation and examples, for things like:
    Default Install Location
    Default Registration Info
    Does Registry Key Exist
    Uninstall Existing App

    It is also a fairly good probability that the program itself is protected by the same general systems they offer to their customers. One of the things included in the program is an updater, which includes a reg snapshot and difference comparison tool which maps all the changes made to your system with the installation of the program protected by their products.

    Regards,
    JMI

  7. #22
    And yet another thought.....

    Have you, by any chance, examined the dll with IDA? There are some references to two CLSIDs where your counter and/or validation might be hiding. There are also references to "AppKey," "SingleKey," and "Last Key." And have you looked at the .inx file which comes with the Release program? The one with the demo only refers to the "free version" and I suspect that they might have learned the lesson that the only safe demo is an incomplete one. However, if you reviewed the Manual for Vise and compared the .inx file for the "free" demo to the Actual Program which you still have on one of your machines, I believe you would find useful information by doing a compare of the two files.

    Regards,
    JMI

  8. #23
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    However, if you reviewed the Manual for Vise and compared the .inx file for the "free" demo to the Actual Progrom which you still have on one of your machines, I believe you would find useful information by doing a compare of the two files.
    I will definitely check this. I have viewed the dll in IDA; I could understand most of it. I will do this now.

    Thanks for the info.
    DJ

  9. #24
    I did notice that the DLL had string compare functions and writes to a particular CLSID. Have you checked that one for the "good boy/bad cracker" and/or declining installs?

    Regards,
    JMI

  10. #25
    DaddyJTHC
    Guest
    Quote Originally Posted by nikolatesla20
    All you have to do is set up your own web server,
    I have a local server, and can get it to connect to it, but I don't know the information that gets returned. If only it were that simple.

  11. #26
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    writes to a particular CLSID.
    I have noticed this, and have spent a lot of time in my registry lately. The machine that has it installed finds the key and queries it, according to regmon:
    QueryKey HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9} SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}
    then again
    QueryValue HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47

    So how can I now, convert this into a registry entry?
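
The regmon lines quoted above, and the duplicate-heavy logs mentioned earlier in the thread, are what the following added example (not a tool from the thread, and not Kayaker's) works on: it parses a tab-separated regmon export, drops consecutive duplicate entries, separates what the process QUERIED from what it SET, and turns a hex byte dump seen in a QueryValue or SetValue line into a .reg file that would recreate the value. The sample lines are constructed in the layout seq, process, request, path, result, other; real exports differ between versions, so check the column order first. That ApartmentModel is a REG_BINARY value is an assumption taken from the hex dump in the post; the SetValue line and the HKCU path in the sample are invented to exercise the code.

```python
"""Regmon log triage: dedupe, split queries from writes, emit .reg files.

Added example, not code from the thread. Sample lines are constructed in a
tab-separated regmon export layout (seq, process, request, path, result,
other); adjust the column indexes for your regmon version.
"""
import re
from collections import Counter

# regmon request names that change the registry rather than read it
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}

HIVES = {
    "HKCR": "HKEY_CLASSES_ROOT", "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Constructed sample. Lines 1-2 mirror the two lines quoted in the post;
# line 3 is a repeat, line 4 a made-up write, line 5 a made-up failed read.
SAMPLE_LOG = """\
1\tsetup.exe:1234\tQueryKey\tHKCR\\CLSID\\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\tSUCCESS\tName: \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}
2\tsetup.exe:1234\tQueryValue\tHKCR\\CLSID\\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\\ApartmentModel\tSUCCESS\t99 D2 32 19 01 3C 28 47
3\tsetup.exe:1234\tQueryValue\tHKCR\\CLSID\\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\\ApartmentModel\tSUCCESS\t99 D2 32 19 01 3C 28 47
4\tsetup.exe:1234\tSetValue\tHKCR\\CLSID\\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\\ApartmentModel\tSUCCESS\t99 D2 32 19 01 3C 28 46
5\tsetup.exe:1234\tQueryValue\tHKCU\\Software\\Example\\Installs\tNOTFOUND\t
"""


def parse_line(line):
    """One export line -> dict, or None for blank or header lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 5 or not fields[0].isdigit():
        return None
    seq, process, request, path, result = fields[:5]
    other = fields[5] if len(fields) > 5 else ""
    return {"seq": int(seq), "process": process, "request": request,
            "path": path, "result": result, "other": other}


def dedupe(entries):
    """Drop an entry identical (apart from seq) to the one just before it."""
    out, prev = [], None
    for e in entries:
        key = (e["process"], e["request"], e["path"], e["result"], e["other"])
        if key != prev:
            out.append(e)
        prev = key
    return out


def triage(log_text):
    """Deduped entries, split into writes and queries, plus hits per path."""
    entries = dedupe(e for e in map(parse_line, log_text.splitlines()) if e)
    writes = [e for e in entries if e["request"] in WRITE_REQUESTS]
    queries = [e for e in entries if e["request"] not in WRITE_REQUESTS]
    per_path = Counter(e["path"] for e in entries)
    return {"entries": entries, "writes": writes,
            "queries": queries, "per_path": per_path}


HEX_DUMP = re.compile(r"^(?:[0-9A-Fa-f]{2}(?:\s+|$))+$")


def hex_dump_to_bytes(text):
    """'99 D2 32 19' -> b'\\x99\\xd2\\x32\\x19'; None if not a byte dump."""
    text = text.strip()
    if not text or not HEX_DUMP.match(text):
        return None
    return bytes.fromhex(text)


def reg_file(path, data):
    """Regedit 5 .reg text recreating `path` (hive\\key\\name) as REG_BINARY."""
    hive, _, rest = path.partition("\\")
    key, _, name = rest.rpartition("\\")
    full_key = f"{HIVES.get(hive, hive)}\\{key}"
    hexlist = ",".join(f"{b:02x}" for b in data)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{full_key}]\r\n"
            f'"{name}"=hex:{hexlist}\r\n')


def reg_files_for_binary_values(log_text):
    """.reg text for each successful QueryValue/SetValue whose data column
    is a hex byte dump, keyed by path; the last value seen wins."""
    result = {}
    for e in triage(log_text)["entries"]:
        if e["request"] in ("QueryValue", "SetValue") and e["result"] == "SUCCESS":
            data = hex_dump_to_bytes(e["other"])
            if data is not None:
                result[e["path"]] = reg_file(e["path"], data)
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"{len(t['entries'])} entries after dedupe, {len(t['writes'])} writes")
    for path, text in reg_files_for_binary_values(SAMPLE_LOG).items():
        print(path, "\n", text)
```

The .reg output is only as good as the data column: regmon shows binary data as a byte dump, but a string or DWORD value would need a different .reg syntax, so look at the value type in RegEdit on the working machine before importing anything.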

  12. #27
    DaddyJTHC:

    There are a number of things going on with this install and you do not seem to be approaching them "logically" and/or sequentially. You have a DLL which identifies itself as VISE and you have a "setup.inx" file. Are you aware that the ".inx" is an InstallShield script? Have you decompiled it and looked at the code for the "free version" as compared to the "purchased version" like I suggested? Assuming you have original install disks or the original install package, simply starting it and letting it run to the point where it asks you for the serial number will provide the needed files in your temp directory, as you have already discovered. You can simply copy them to another folder before you choose "Cancel" and close out the program. There are decompilers that will disassemble these ".inx" files very effectively and can be found on various tool sites with a search in your favorite search engine. WHERE to find it is NOT something you are supposed to ask here.

    You said the purchased version has only five installs. Well, obviously, it has to keep track of how many installs you have had "somewhere." This code has to be recorded in a "reg" file or a temp file or a registry entry. Assuming the possibility it is a registry entry, you need to look for code in the ".inx" and/or DLL file that WRITES to a registry entry or writes somewhere else.

    We can also assume that the vendor needs some way to "know" how many installs you have/had so they do not validate an attempt in excess of their limit. We can also assume, if they aren't completely incompetent, that they have a mechanism to check that it is not installed "five times" on as many different machines as you want to put it on. So you can expect and look for information that determines your Volume ID information and/or HD and/or CD identification and/or OS information and something that may send this information to their server and/or writes it someplace on your machine. I see in the DLL and the INX file references to date parameters, and their server could easily store the date of the first through fifth installs by recording these types of dates from where they are recorded on your machine.

    Now you know that the DLL has references to TWO different CLSID keys. Do you know whether it writes to both or only one? If it writes to only one, does their server write to the other? Have you logged what goes OUT when you log on to their server? Or were you only thinking about what came IN? Your regmon entries should show you what was QUERIED and what was SET and may even show by whom.

    Another good place to look may be in the comparison of the registration checking function for the "free version" vs. the "purchased version." In the "free version" there is a StrCompare(global_string15, "521-1217-00004") which is supposed to be "local_number6 = (local_number6 != 0)" and if the result doesn't equal "0"

    if(local_number6) then // ref index: 1
    @00004F8C:0021 MessageBox("Invalid license key. Please re-enter.", -65534);
    @00004FC0:0005 goto label_4df4;

    which goes back to the enter password screen. Your "valid" password for your install may be hard coded in your "purchased version" .inx file, and if it is, this would suggest that their server is really checking the number of installs recorded against that serial number. Finding where this data is stored on your machine and what part of the DLL and/or .inx file access it should lead to where they check and should reveal what the proper result code might be for the "good-boy" result.

    Regards,
    JMI

  13. #28
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    Have you logged what goes OUT when you log on to their server?
    Yes, when reporting to their server it transmits the following information
    email|cdkey|machineid
    in a custom hex-let hash format.

    this in turn causes the page to be returned
    DPERROR:1 Key used to many times!

    So based off what you have said, during install the program could download a different setup.inx if the cdkey verification process succeeds.

  14. #29
    DaddyJTHC
    Guest
    Another thing I have noticed is the frequent usage of the NTUSER.DAT.LOG file. Is it common to use this file?

  15. #30
    OK. That tells you the server keeps track of the number of times the serial number is installed and probably checks for which email address and machineID, but it could just validate it five times regardless.

    You need to answer some questions:

    1.) Does the "purchased" version come with a different ".inx" file, and/or do you know whether or not it has the same dll file?

    2.) How did you receive it? Did you purchase it online and receive disks, or was it sent to you by email or downloaded from their server?

    3.) Do you have a copy of the original install exe on one of your machines? If so, what is its size in KBs?

    4.) When you get the error message "1 Key used to many times" does the install stop altogether, or does it just install the "free" version? I do not find that error message in either the "free" ".inx" or Dll files.

    5.) Do you have a copy of the "purchased" ".inx" file and have you decompiled and compared it to the "free" version? Does that error message appear in its text?

    6.) On the machine where it is still running, have you tried to get an update and if you try, make sure to record what is sent and received.

    7.) I assume that Q5MDB-A5CG-YZEY-APBD9 was the hash of the original serial. Is that correct?

    8.) What are the entries on the working copy for the A88A6800 Key and for the B43CCF60 Key, as shown in RegEdit? Do you have another copy installed on another machine you can compare those entries against?

    Regards,
    JMI
